Abstract

Open networks allow users to communicate without any prior arrangements such as contractual agreement or organisation membership. However, the very nature of open networks makes authenticity difficult to verify. We show that authentication cannot be based on public key certificates alone, but also needs to include the binding between the key used for certification and its owner, as well as the trust relationships between users. We develop a simple algebra around these elements and describe how it can be used to compute measures of authenticity.

1 Introduction

For the distribution of public keys in open networks it is not conceivable to have a single global authority that is trusted for key generation and distribution, because there will always be different administrative domains which typically will have conflicting economical and political interests. In this situation, each agent has to decide for herself which other agents she wants to trust for key distribution, and based on this determine the legitimacy of received certificates and the authenticity of keys. In this paper we propose a simple algebra for trust that can be used to determine the authenticity of received keys. The algebra builds on the authenticity metric described in [5]. Previously proposed metrics and algebras of authentication have been discussed in [8, 5].

Technically seen, humans do not sign cryptographic certificates, keys do. However, it is usually assumed that human agents are using cryptographic keys as a tool to make certificates, so that practically speaking humans do sign certificates. For this assumption to be correct it is essential to explicitly express trust in the binding between the key used for certification and its owner, because failing to do so would deprive any authentication scheme of its relationship to humans, and would turn the scheme into authentication for and by keys. The key-to-owner binding cannot be objectively assessed, and necessarily becomes a subjective measure, meaning that two individuals can have different opinions about any particular binding.

To have established the binding between a key and its owner is not enough for accepting certificates produced by it if, for example, the key owner deliberately certifies flawed keys. Another essential element of the algebra is therefore to consider the trustworthiness of the certifying agents themselves for the purpose of recommending keys by certification. As for the binding, the recommendation trustworthiness also becomes a subjective measure, meaning that an agent who is trusted by me does not have to be trusted by you.

In [3] we argued that trust simply is a human belief, involving a subject (the trusting party) and an object (the trusted party). Trust in the key-to-owner binding can for example be expressed as believing that "the key is authentic", whereas trust in the certifier is to believe that "he will only certify keys that he considers authentic".

It can here be added that the security of a system never can be objectively and universally assessed. It is always done by some individuals who may be qualified for that purpose, and the rest of us simply have to believe them. In that sense, trust in a system is a subjective measure of that system's security, and trust in a key is a subjective measure of its authenticity. We claim that there can be no other measure for security and authenticity than subjective trust.

2 The Trust Model

The trust model is based on a general model for expressing beliefs, or more precisely for expressing relatively uncertain beliefs about the truth of statements. The statements themselves must be crisp, i.e. they must be assumed to be either true or false, and not something in between. This way of modelling uncertainty is almost the exact opposite of fuzzy set theory, where a fuzzy statement such as "tall person" defines the fuzzy set of tall persons, and a crisp measure such as the height of a person measured in feet or cm, combined with a membership function, determines a person's degree of membership in the fuzzy set. Although "trust" is a fuzzy statement, we do not see how fuzzy set theory could be used to model trust, because there can be no crisp and reliable measure associated with trust.

In our model we focus on crisp statements that describe particular types of trust. A statement such as "the key is authentic" can be assumed to be either true or false, and not something in between, and is therefore a crisp binary statement. The same can be said about the statement "the agent will cooperate during our next interaction", and we will interpret belief in such statements as trust. However, we will not attempt to use crisp measures to assert the validity of these statements. Because of our imperfect knowledge about reality it is in fact impossible to know with certainty whether such statements are true or false, so that we can only have an opinion about it, which translates into degrees of belief or disbelief as well as uncertainty, which fills the void in the absence of both belief and disbelief. We express this mathematically as:

$b + d + u = 1, \qquad \{b, d, u\} \in [0, 1]^3$   (1)

where b, d and u designate belief, disbelief and uncertainty respectively.

Definition 1 Opinion

Let $\omega = \{b, d, u\}$ be a triplet satisfying (1) where the first, second and third component correspond to belief, disbelief and uncertainty respectively. Then $\omega$ is called an opinion. □

Eq.(1) defines the triangle of Fig.1, and an opinion can be uniquely described as a point $\{b, d, u\}$ in the triangle. As an example, the opinion $\omega = \{0.8, 0.1, 0.1\}$ is represented as a point in the triangle.

The horizontal bottom line between belief and disbelief in Fig.1 represents situations without uncertainty and is equivalent to a traditional probability model. Uncertainty is caused by the lack of evidence to support either belief or disbelief. In order to illustrate the interpretation of the uncertainty component we will use the following example, which is cited from [2].

"Let us suppose that you confront two urns containing red and black balls, from one of which a ball will be drawn at random. To 'bet on Red_I' will mean that you choose to draw from Urn I; and that you will receive a prize a (say $100) if you draw a red ball and a smaller amount b (say $0) if you draw a black. You have the following information: Urn I contains 100 red and black balls, but in ratio entirely unknown to you; there may be from 0 to 100 red balls. In Urn II, you confirm that there are exactly 50 red and 50 black balls."

Figure 1: Opinion Triangle (vertices: Belief, Disbelief, Uncertainty)

For Urn II, most people would agree that the probability of drawing a red ball is 0.5, because the chances of winning or losing a bet on Red_II are equal. For Urn I however, it is not obvious. If however one was forced to make a bet on Red_I, most people would agree that the chances also are equal, so that the probability of drawing a red ball also in this case must be 0.5.

This example illustrates extreme cases of probability, one which is totally certain, and the other which is totally uncertain, but interestingly they are both 0.5. In real situations, a probability estimate can never be absolutely certain, and a single valued probability estimate is always inadequate for expressing an observer's subjective belief regarding a real situation. By using opinions the degree of (un)certainty can easily be expressed such that the opinions about Red_I and Red_II become $\omega_{I} = \{0, 0, 1\}$ and $\omega_{II} = \{0.5, 0.5, 0.0\}$ respectively.

Opinions as defined in Def.1 are in fact 2-dimensional measures, consisting of a probability dimension and an uncertainty dimension. By hiding the uncertainty dimension, opinions can be projected onto a 1-dimensional probability space to produce a probability expectance value given by

$E(\{b, d, u\}) = \dfrac{b + u}{b + d + 2u}$   (2)

Opinions can be strictly ordered by first ordering opinions according to probability expectancy, and subsequently ordering those with the same probability expectancy according to certainty. By taking the examples with the urns, we for example have that $E(\omega_{I}) = E(\omega_{II})$ but $\omega_{I} < \omega_{II}$.



3 Subjective Logic

The algebra for determining trust in certification chains will be based on a framework for artificial reasoning called Subjective Logic which has already been described in [4, 7, 6, 5]. Subjective Logic defines various logical operators for combining opinions. Since an opinion can be interpreted as an uncertain probability measure, Subjective Logic can be called a calculus for uncertain probabilities.

Subjective Logic contains the equivalent of the traditional logical operators such as conjunction (AND), disjunction (OR) and negation (NOT), as well as some non-traditional operators such as recommendation and consensus. In the certification algebra described in the next section only the operators conjunction, recommendation and consensus are needed. For simplicity only these three operators will be defined here.

The symbol $\omega$ will be used to denote trust. According to the subject-object duality of trust, we will in addition use superscripts to indicate the subject and subscripts to indicate the believed statement, so that

$\omega^A_p = \{b^A_p, d^A_p, u^A_p\}$

represents agent A's belief about p, where for example p: "the key is authentic", meaning that "A believes that the key is authentic" to the degree expressed by the belief, disbelief and uncertainty components $b^A_p$, $d^A_p$ and $u^A_p$ respectively. Such opinions are the input and output parameters for the operators defined below.

Definition 2 Conjunction

Let $\omega^A_p = \{b^A_p, d^A_p, u^A_p\}$ and $\omega^A_q = \{b^A_q, d^A_q, u^A_q\}$ be agent A's opinions about two distinct binary statements p and q. Then the conjunction of $\omega^A_p$ and $\omega^A_q$, representing A's opinion about both p and q being true, is defined by

$\omega^A_{p \wedge q} = \{b^A_{p \wedge q},\, d^A_{p \wedge q},\, u^A_{p \wedge q}\}$, where $u^A_{p \wedge q} = b^A_p u^A_q + u^A_p b^A_q + u^A_p u^A_q$

[the expressions for the belief and disbelief components are illegible in this copy] □

Conjunction of opinions is commutative and associative and requires independent arguments, so that the conjunction of an opinion with itself is meaningless. When applied to opinions with zero uncertainty, it is the same as serial multiplication of probabilities. When applied to opinions with absolute belief or disbelief (i.e. b = 1 or d = 1), it produces the truth table of logical binary AND.
Definition 3 Recommendation

Let A and B be two agents where $\omega^A_B = \{b^A_B, d^A_B, u^A_B\}$ is A's opinion about B's recommendations, and let p be a binary statement where $\omega^B_p = \{b^B_p, d^B_p, u^B_p\}$ is B's opinion about p expressed in a recommendation to A. Then A's opinion about p as a result of the recommendation from B is defined by:

$\omega^{AB}_p = \omega^A_B \otimes \omega^B_p = \{b^{AB}_p,\, d^{AB}_p,\, u^{AB}_p\}$

[the component expressions are illegible in this copy; only the final term $b^A_B u^B_p$ of the uncertainty component survives] □

B's recommendation must be interpreted as what B actually recommends to A, and not necessarily as B's real opinion. It is obvious that these can be totally different if B for example defects. The recommendation operator can only be justified when it can be assumed that recommendation is transitive, or more precisely that the agents in a recommendation chain do not change their behaviour (i.e. what they recommend) as a function of which entities they interact with. However, as pointed out in [3] and [1] this cannot always be assumed, because defection can be motivated for example by antagonism between certain agents.



Definition 4 Consensus

Let $\omega^A_p = \{b^A_p, d^A_p, u^A_p\}$ and $\omega^B_p = \{b^B_p, d^B_p, u^B_p\}$ be opinions respectively held by agents A and B about the same binary statement p. Then the consensus opinion held by an imaginary agent [A, B] representing both A and B is defined by:

$\omega^{A,B}_p = \omega^A_p \oplus \omega^B_p = \{b^{A,B}_p,\, d^{A,B}_p,\, u^{A,B}_p\}$, where

$b^{A,B}_p = (b^A_p u^B_p + b^B_p u^A_p)/(u^A_p + u^B_p - u^A_p u^B_p)$,
$d^{A,B}_p = (d^A_p u^B_p + d^B_p u^A_p)/(u^A_p + u^B_p - u^A_p u^B_p)$,
$u^{A,B}_p = u^A_p u^B_p/(u^A_p + u^B_p - u^A_p u^B_p)$. □

Consensus is commutative and associative, and requires independent opinion arguments, so that consensus of an opinion with itself is meaningless. The effect of the consensus operator is to reduce the uncertainty. Opinions containing zero uncertainty cannot be combined, but in practice consensus will normally be mixed with the recommendation operator, so that an agent receiving absolutely certain but conflicting recommendations will introduce uncertainty by taking her opinions about the recommenders into account before making the consensus. However, two agents that hold conflicting opinions will only be able to reach a common consensus if their opinions contain uncertainty.

3.1 The Problem of Dependence

It is possible that several recommendation chains produce opinions about the same statement. Under the condition of opinion independence, these opinions can be combined with the consensus rule to produce a single opinion about the target statement. An example of mixed consensus and recommendation is illustrated in Fig.2.

Figure 2: Mixing consensus and recommendation (graph of agents A, B, C, D, E and statement p; legend: arrow = Trust)

The recommendation rule is not distributive relative to the consensus rule. Let $\omega^A_B$, $\omega^B_C$, $\omega^B_D$, $\omega^C_E$, $\omega^D_E$ and $\omega^E_p$ represent the opinion relationships in Fig.2. We then have

[equation illegible in this copy]   (3)

which according to the short notation in Defs.3 and 4 can be written as

$\omega^{A(BC,BD)E}_p \neq \omega^{ABCE,ABDE}_p$   (4)

The not-equal sign may seem surprising, but the right sides of (3) and (4) violate the requirement of independent opinions because both $\omega^A_B$ and $\omega^E_p$ appear twice. Only the left sides of (3) and (4) represent the graph of Fig.2 correctly.

Explained differently, there are (at least) two ways of analysing this graph. According to the first method the two trust paths from A to p (the recommendation of course goes in the opposite direction) are analysed separately and finally combined by consensus. This method corresponds to the right sides of (3) and (4). According to the second method the sub-graph containing the nodes B, C, D and E is reduced to a single node by mixing recommendation and consensus. This sub-graph is analysed separately and the result is used as a sub-expression in the final analysis. This method corresponds to the left sides of (3) and (4) and is the only correct way to analyse the graph because it avoids opinion dependence.

There will always be cases which cannot be analysed directly. Fig. 3 illustrates a situation where agent A needs to determine her opinion about statement p, of which she only has second-hand evidence through a network of agents.

Figure 3: Network of trust that cannot be completely analysed (graph of agents A, B, C, D, E and statement p; legend: arrow = Trust)

Whether the recommendation from D to C is ignored, thereby leaving out some of the evidence, or included, thereby violating the independence requirement, the result will never be as correct as one could wish.



4 Authentication and Certification in Open Networks

4.1 The Certification Algebra

Public keys can be exchanged manually or electronically. For manual distribution, agent A1 can for example meet agent A2 physically and give him a diskette containing her public key $k_{A1}$, and A2 can give his public key $k_{A2}$ to her in return. The keys can then be considered authenticated through the persons' mutual physical recognition, and can be used for establishing secure communication and for certification of other keys.

For electronic key distribution, keys need to be recommended and certified by someone whom the recipient trusts for recommending and certifying keys, and whose authenticated public key the recipient possesses. For example, if A1 possesses A2's public key $k_{A2}$ and A2 possesses A3's public key $k_{A3}$, then A2 can send A3's public key to A1, certified by his private key $k^{-1}_{A2}$. Upon reception, A1 will verify A2's certificate, and if correct, will know that the received public key of A3 is authentic, and can then establish secure communication with A3.

However, certificates are not enough. In order to get a binding between keys and key owners, the recipient of the certificate must have an opinion $\omega^{A1}_{KA(k_{A2})}$ about the key authenticity (KA) of the key used to certify, that is, her opinion about the binding between the certifier and his public key. In addition, the recipient must have an opinion $\omega^{A1}_{RT(A2)}$ about the certifier's recommendation trustworthiness (RT), that is, how much she trusts him to actually recommend and certify other keys. Finally, the certifier must actually recommend to the recipient his own opinion $\omega^{A2}_{KA(k_{A3})}$ about the authenticity of the certified key. This opinion must be embedded in the certificate sent to A1.

There are of course other considerations, such as e.g. that the cryptographic algorithm cannot be broken, but it is assumed that these conditions are met.

We introduce the conjunctive recommendation term $(\omega^{A1}_{RT(A2)} \wedge \omega^{A1}_{KA(k_{A2})})$, which we will give the following short notation:

$\omega^{A1}_{A2} = (\omega^{A1}_{RT(A2)} \wedge \omega^{A1}_{KA(k_{A2})})$   (5)

In an environment of electronic message exchange, an agent can only be trusted to the degree that both the RT and the KA can be trusted. The conjunctive recommendation term thus represents what in a normal interpersonal environment would be recommendation trustworthiness. The formal expression for trust based authenticity of certified keys can then be defined.

Definition 5 Simple Authentication

A1, A2 and A3 are three agents, $k_{A1}$, $k_{A2}$ and $k_{A3}$ their respective public keys. Let $\omega^{A1}_{KA(k_{A2})}$ and $\omega^{A1}_{RT(A2)}$ be A1's opinions about the authenticity of $k_{A2}$, and about A2's recommendation trustworthiness respectively. Let $\omega^{A2}_{KA(k_{A3})}$ be A2's opinion about the authenticity of $k_{A3}$. Then A1's opinion about the authenticity of $k_{A3}$ is defined by:

$\omega^{A1A2}_{KA(k_{A3})} = \omega^{A1}_{A2} \otimes \omega^{A2}_{KA(k_{A3})} = (\omega^{A1}_{RT(A2)} \wedge \omega^{A1}_{KA(k_{A2})}) \otimes \omega^{A2}_{KA(k_{A3})}$ □

In case the certification path goes through intermediate certifiers, opinions about recommendation trustworthiness $\omega_{RT}$ must also be recommended along the path and embedded in the certificate together with the certified key. The recommendation trustworthiness RT not only applies to immediate certification of keys, but also to the recommendation of other agents for further recommendations. In [7] these two types of trustworthiness were treated separately and called CT (certification trustworthiness) and RT respectively. However, since they necessarily are dependent, separate treatment would lead to computational inconsistencies, and we therefore use only RT to denote both types of trustworthiness.



Definition 6 Chained Authentication

Let the agents A1, ..., An−1, An have chained trust and certification relationships. A1's opinion about the authenticity of $k_{An}$ can then be expressed by simply inserting the intermediate terms into the expression:

$\omega^{A1 \cdots An-1}_{KA(k_{An})} = (\omega^{A1}_{RT(A2)} \wedge \omega^{A1}_{KA(k_{A2})}) \otimes \cdots \otimes (\omega^{An-2}_{RT(An-1)} \wedge \omega^{An-2}_{KA(k_{An-1})}) \otimes \omega^{An-1}_{KA(k_{An})}$ □

The framework defined above can now be used to compute the relative authenticity of keys received through an open computer network. If desirable, the algebra can be reduced to a one-dimensional probabilistic calculus by using opinions without uncertainty, i.e. u = 0 (but in this case the consensus operator must be modified). The algebra can also be reduced to binary logic by only allowing binary belief components, i.e. b = 0 or b = 1 (also requiring a modified consensus operator). The full two-dimensional algebra will be used in the examples below.

4.1.1 Example: Receiving Certificates.

Fig. 4 illustrates a possible structure of certified public keys as stored in agent A's private database. The structure above the dotted line represents the situation before any keys are received electronically, whereas the structure underneath is added after receiving keys electronically. The dotted line also indicates the separation between the keys for which the trust is based on first-hand and second-hand evidence, as seen by A.

Figure 4: Structure of keys and certificates in agent A's database



This structure makes no assumption about any binding between key owners and certificates. In addition, agent A must therefore keep a list of her opinions $\omega^A_{KA}$ about key authenticity, that is, her opinions about the binding between keys and key owners. Tab.1 below gives an example of possible opinion values. Although it is not shown, a one-to-many binding between an agent and her different keys can perfectly well be accommodated within this structure.



Key      Key owner   Key Authenticity $\omega^A_{KA(k_X)}$
$k_X$    X
$k_A$    A           {1.00, 0.00, 0.00}
$k_B$    B           {0.98, 0.00, 0.02}
$k_C$    C           {0.97, 0.00, 0.03}
$k_D$    D           {0.98, 0.00, 0.02}

Table 1: A's first-hand opinions about the binding between keys and their owners

Agent A must also keep a list of her opinions $\omega^A_{RT}$ about recommendation trustworthiness, that is, how much she trusts the key owners to actually recommend other keys and other agents. Tab. 2 below gives an example of possible opinion values.

Key owner   Recommendation Trustworthiness $\omega^A_{RT(X)}$
X
A           {1.00, 0.00, 0.00}
B           {0.96, 0.02, 0.02}
C           {0.97, 0.01, 0.02}
D           {0.90, 0.00, 0.10}

Table 2: A's first-hand opinions about agent trustworthiness

It is assumed that A knows B, C and D personally and therefore has first-hand evidence about their recommendation trustworthiness. It is also assumed that A's opinions about key authenticity are based on having physically exchanged public keys with them.

Let A receive the public keys of agents E, F and G electronically. Embedded in the certificates are also the certifying agents' opinions about the key authenticity and recommendation trustworthiness according to Tabs. 3 and 4.

Key Authenticity
$\omega^B_{KA(k_E)}$ = {0.98, 0.00, 0.02}
$\omega^B_{KA(k_F)}$ = {0.95, 0.01, 0.04}
$\omega^C_{KA(k_F)}$ = {0.98, 0.00, 0.02}
$\omega^E_{KA(k_G)}$ = {0.90, 0.05, 0.05}

Table 3: Recommended key authenticity received by A

Recommendation Trustworthiness
$\omega^B_{RT(E)}$ = {0.99, 0.00, 0.01}
$\omega^B_{RT(F)}$ = {0.98, 0.01, 0.01}
$\omega^C_{RT(F)}$ = {0.90, 0.00, 0.10}
$\omega^E_{RT(G)}$ = {0.99, 0.00, 0.01}

Table 4: Recommended agent trustworthiness received by A

The authenticity of, for example, $k_E$ as seen by A can now be computed by using Def.5:

$\omega^{AB}_{KA(k_E)} = (\omega^A_{RT(B)} \wedge \omega^A_{KA(k_B)}) \otimes \omega^B_{KA(k_E)} = \{0.922, 0.000, 0.078\}$   (6)

When there are several certification paths to the same key, the authenticity can be computed as the consensus between the authenticities obtained for each path. The authenticity of $k_F$ as seen by A can then be computed as:

$\omega^{AB,AC}_{KA(k_F)} = ((\omega^A_{RT(B)} \wedge \omega^A_{KA(k_B)}) \otimes \omega^B_{KA(k_F)}) \oplus ((\omega^A_{RT(C)} \wedge \omega^A_{KA(k_C)}) \otimes \omega^C_{KA(k_F)}) = \{0.951, 0.004, 0.045\}$   (7)

When certificates pass through a chain of nodes, the recommendation of each node must be included in the expression. The authenticity of $k_G$ as seen by A can be computed as:

$\omega^{ABE}_{KA(k_G)} = (\omega^A_{RT(B)} \wedge \omega^A_{KA(k_B)}) \otimes (\omega^B_{RT(E)} \wedge \omega^B_{KA(k_E)}) \otimes \omega^E_{KA(k_G)} = \{0.821, 0.046, 0.133\}$   (8)

The added structure of new certificates is illustrated in the lower part of Fig. 4. Although A now has opinions about the authenticity of the public keys of E, F and G, these opinions should never be passed to other agents. This will be explained in Sec. 4.2 below.



4.2 First-Hand and Second-Hand Evidence

Whenever an agent sends certificates to other agents, opinions about key authenticity and recommendation trustworthiness must always be included. However, opinions based on recommendations from other agents, i.e. second-hand evidence, should in principle never be passed to other agents. This is because the recipient may receive recommendations from the same agents, causing opinion dependence when using the consensus operator. Only opinions based on first-hand evidence and experience should thus be recommended to other agents.

The problem can occur for example in the situation illustrated in Fig. 5, where agents B and C have a second-hand opinion about agent E and his public key based on a recommendation from D.

Figure 5: Trust relationships based on first-hand and second-hand evidence (legend: plain arrow = trust based on first-hand evidence; dashed arrow = trust based on second-hand evidence)

If B and C recommend their opinions about E to A as if they were based on first-hand evidence, i.e. without telling that they were based on recommendations from D, A would compute the following key authenticity for $k_E$:

Incorrect:

$\omega^{ABD,ACD}_{KA(k_E)} = ((\omega^A_{RT(B)} \wedge \omega^A_{KA(k_B)}) \otimes ((\omega^B_{RT(D)} \wedge \omega^B_{KA(k_D)}) \otimes \omega^D_{KA(k_E)})) \oplus ((\omega^A_{RT(C)} \wedge \omega^A_{KA(k_C)}) \otimes ((\omega^C_{RT(D)} \wedge \omega^C_{KA(k_D)}) \otimes \omega^D_{KA(k_E)}))$   (9)

The fact that the term $\omega^D_{KA(k_E)}$ appears twice in the expression, and thereby violates the independence requirement, would in fact be hidden from A, causing her to compute an incorrect key authenticity.

Instead, B and C should only recommend D to A, and D should recommend E to A. Alternatively B and C can pass the recommendations they received from D unmodified to A, because it does not matter who sent it as long as it is certified by D. With this information, A is able to compute the correct authenticity:

Correct:

$\omega^{(AB,AC)D}_{KA(k_E)} = (((\omega^A_{RT(B)} \wedge \omega^A_{KA(k_B)}) \otimes (\omega^B_{RT(D)} \wedge \omega^B_{KA(k_D)})) \oplus ((\omega^A_{RT(C)} \wedge \omega^A_{KA(k_C)}) \otimes (\omega^C_{RT(D)} \wedge \omega^C_{KA(k_D)}))) \otimes \omega^D_{KA(k_E)}$   (10)

To recapitulate, the rule for passing recommendations between agents is that recommendations must always be based on first-hand evidence.
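The following Python program is an added example and not code from the paper. It implements the opinion triplet of Definition 1, the expectation value (2) and the ordering of Section 2, the three operators of Definitions 2 to 4 and the certification algebra of Definitions 5 and 6; it then recomputes (6), (7) and (8) from Tables 1 to 4, contrasts the incorrect expression (9) with the correct (10) of this section, and evaluates both sides of (4) from Section 3.1. Two assumptions are made. First, because the belief and disbelief components of the conjunction and the recommendation operator are only partly legible in this copy, the standard Subjective Logic definitions are used (conjunction b = b_p b_q and d = d_p + d_q − d_p d_q; recommendation b = b^A_B b^B_p, d = b^A_B d^B_p, u = d^A_B + u^A_B + b^A_B u^B_p); they reproduce the paper's own results (6) and (8) to three decimals and (7) to within 0.001, which is the check on that assumption. Second, the paper gives no opinion values for the graphs of Fig. 2 and Fig. 5, so those are constructed here. The operator symbols &, @ and | standing for ∧, ⊗ and ⊕ are this example's choice.

```python
from dataclasses import dataclass
from functools import reduce

EPS = 1e-9


@dataclass(frozen=True)
class Opinion:
    """Opinion {b, d, u} with b + d + u = 1 (eq. 1 of the paper)."""
    b: float
    d: float
    u: float

    def __post_init__(self):
        if min(self.b, self.d, self.u) < -EPS or abs(self.b + self.d + self.u - 1) > 1e-6:
            raise ValueError(f"not a valid opinion: {self}")

    def expectation(self):
        """Probability expectance value, eq. (2)."""
        return (self.b + self.u) / (self.b + self.d + 2 * self.u)

    def __and__(self, q):
        """Conjunction (Def. 2), written p & q. Only the u component is legible on the
        page; b = b_p*b_q and d = d_p + d_q - d_p*d_q are the standard Subjective Logic
        definitions (assumption, checked below against the page's results (6)-(8))."""
        p = self
        return Opinion(p.b * q.b, p.d + q.d - p.d * q.d, p.b * q.u + p.u * q.b + p.u * q.u)

    def __matmul__(self, p):
        """Recommendation (Def. 3), written wAB @ wBp: self is A's opinion about the
        recommender B, p is B's recommended opinion (standard definition, assumed)."""
        return Opinion(self.b * p.b, self.b * p.d, self.d + self.u + self.b * p.u)

    def __or__(self, o):
        """Consensus (Def. 4), written a | b, of two independent opinions about p."""
        k = self.u + o.u - self.u * o.u
        if k < EPS:  # two zero-uncertainty opinions cannot be combined (Sec. 3)
            raise ValueError("consensus undefined for two certain opinions")
        return Opinion((self.b * o.u + o.b * self.u) / k, (self.d * o.u + o.d * self.u) / k,
                       self.u * o.u / k)


def sort_key(w):
    """Strict ordering of Sec. 2: by expectation, then by certainty (1 - u)."""
    return (w.expectation(), 1 - w.u)

def trust_term(rt, ka):
    """Conjunctive recommendation term of eq. (5): w_RT(X) AND w_KA(kX)."""
    return rt & ka

def chained_authentication(terms, ka_last):
    """Def. 6: the recommendation operator folded over the chain's conjunctive terms."""
    return reduce(lambda acc, t: acc @ t, terms) @ ka_last

# Tables 1-4 of the paper: A's first-hand opinions and the recommendations A received.
KA_A = {"B": Opinion(0.98, 0.00, 0.02), "C": Opinion(0.97, 0.00, 0.03), "D": Opinion(0.98, 0.00, 0.02)}
RT_A = {"B": Opinion(0.96, 0.02, 0.02), "C": Opinion(0.97, 0.01, 0.02), "D": Opinion(0.90, 0.00, 0.10)}
KA_REC = {("B", "E"): Opinion(0.98, 0.00, 0.02), ("B", "F"): Opinion(0.95, 0.01, 0.04),
          ("C", "F"): Opinion(0.98, 0.00, 0.02), ("E", "G"): Opinion(0.90, 0.05, 0.05)}
RT_REC = {("B", "E"): Opinion(0.99, 0.00, 0.01), ("B", "F"): Opinion(0.98, 0.01, 0.01),
          ("C", "F"): Opinion(0.90, 0.00, 0.10), ("E", "G"): Opinion(0.99, 0.00, 0.01)}

def term_a(x):
    return trust_term(RT_A[x], KA_A[x])

def eq6():  # A's opinion about k_E via B, eq. (6)
    return term_a("B") @ KA_REC[("B", "E")]

def eq7():  # consensus of the two certification paths to k_F, eq. (7)
    return (term_a("B") @ KA_REC[("B", "F")]) | (term_a("C") @ KA_REC[("C", "F")])

def eq8():  # chain A -> B -> E -> k_G, eq. (8)
    terms = [term_a("B"), trust_term(RT_REC[("B", "E")], KA_REC[("B", "E")])]
    return chained_authentication(terms, KA_REC[("E", "G")])

# Constructed values (not from the paper) for the Fig. 5 scenario of Sec. 4.2.
RT_B_D, KA_B_D = Opinion(0.90, 0.00, 0.10), Opinion(0.95, 0.00, 0.05)
RT_C_D, KA_C_D = Opinion(0.80, 0.10, 0.10), Opinion(0.90, 0.00, 0.10)
KA_D_E = Opinion(0.70, 0.10, 0.20)

def eq9_incorrect():
    """B and C forward D's opinion as if first-hand: w^D_KA(kE) is counted twice."""
    via_b = term_a("B") @ (trust_term(RT_B_D, KA_B_D) @ KA_D_E)
    via_c = term_a("C") @ (trust_term(RT_C_D, KA_C_D) @ KA_D_E)
    return via_b | via_c

def eq10_correct():
    """Consensus about D first, then D's single recommendation about k_E."""
    to_d = (term_a("B") @ trust_term(RT_B_D, KA_B_D)) | (term_a("C") @ trust_term(RT_C_D, KA_C_D))
    return to_d @ KA_D_E

def eq4_sides():
    """Both sides of (4) for Fig. 2 with constructed opinions; they differ because
    w^A_B and w^E_p each appear twice on the right-hand side (opinion dependence)."""
    wAB, wBC, wBD = Opinion(0.9, 0.0, 0.1), Opinion(0.8, 0.1, 0.1), Opinion(0.7, 0.1, 0.2)
    wCE, wDE, wEp = Opinion(0.9, 0.0, 0.1), Opinion(0.8, 0.1, 0.1), Opinion(0.6, 0.2, 0.2)
    left = wAB @ ((wBC @ wCE) | (wBD @ wDE)) @ wEp
    right = (wAB @ wBC @ wCE @ wEp) | (wAB @ wBD @ wDE @ wEp)
    return left, right
```

Calling eq6(), eq7() and eq8() reproduces the paper's worked values; eq9_incorrect() has markedly less uncertainty than eq10_correct() for the same evidence, which is the numerical face of the argument above: forwarding D's opinion as if it were first-hand double-counts it, so A ends up more certain than her evidence warrants. Likewise the right-hand side of (4) comes out less uncertain than the left because the shared opinions $\omega^A_B$ and $\omega^E_p$ are counted twice. Consensus of two zero-uncertainty opinions raises ValueError, following the remark in Section 3 that such opinions cannot be combined.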

4.3 Trust-based Navigation on Open Networks

Reliable authentication of public keys must always be based on an unbroken chain of certificates and recommendations. However, a path may be difficult to find even if theoretically it exists. Introducing hierarchies of certification authorities (CA) can be used to overcome these problems without being in conflict with the philosophy of open networks, and each user should be allowed to choose which CA he or she wants to use.

According to the scenario described in Sec. 4.1, first-hand evidence is obtained by having had direct experience with an agent and physically exchanging keys. This means that the relationship between CAs and users needs to be rather intimate, for example similar to a bank's relationship with its customers.

By requiring recommendations to be based on first-hand evidence only, the problem of certificate revocation is drastically reduced, because the recommender will always have full overview of every recipient of a particular certificate, and is thereby able to inform them efficiently in case of revocation. In addition, users never need to worry about trust intransitivity, or in other words that the CA they trust trusts another CA which they would not trust, because a user is always informed about the identity of every intermediate node in a chain and may in fact override the received recommendation trustworthiness value if he happens to have an opinion about that particular CA.

4.3.1 Example: Establishing Certification Paths.

Fig. 6 shows a network of users (G, H, I, J, K, L, M, N, O, P) and certification authorities (A, B, C, D, E, F). In this example we require that every CA must at least be related to one CA on a superior plane, except for those already on the top plane, and that CAs on the top plane must all be related.



Figure 6: Trust based on first-hand evidence (panels: Certification level 2, Certification level 1; legend: plain arrow = opinion about RT and KA, dashed arrow = opinion about KA only, dotted arrow = opinion about RT only)

The plain arrows indicate trust for the purpose of recommendation and for key authenticity. The plain one-way arrows between users and CAs indicate that a user trusts a CA to certify and recommend, but not the opposite. The dashed arrows between CAs and users indicate that a CA has an opinion about the authenticity of a user's public key. CAs that are connected with plain two-way arrows trust each other mutually, and so do the users. This means that CAs can certify public keys of users and other CAs, but can only recommend CAs for further recommendation, whereas users can certify public keys and recommend both CAs and other users to each other. The dotted arrows indicate trust for the purpose of recommendation, meaning that a user can have an opinion about a CA without the CA knowing anything about the user. Two agents that are not connected with either plain, dashed or dotted arrows are totally ignorant about each other, i.e. they have the opinion {0, 0, 1} about each other regarding RT and KA. It should be noted that the arrows in Fig. 6 perfectly well can represent distrust, so that users and CAs can use the same model to blacklist other users and CAs.

We will use the short notation to give a few examples of how key authenticity can be expressed.

• $\omega^{G(C,CAD)}_{KA(k_J)}$ is G's trust in $k_J$ based on recommendations via C and via CAD. However, G has a first-hand opinion $\omega^G_{RT(A)}$ about A's recommendation trustworthiness, and may use it to replace the one received from C, or may ignore the path via A altogether if he distrusts A.

• $\omega^{H(MN,MEF)O}_{KA(k_P)}$ is H's trust in $k_P$ based on recommendations via MNO and via MEFO. If H knew that P also could be reached via I and via J, he could have obtained recommendations for C and D from them, and further for A and B.

• $\omega^{MEBD}_{KA(k_J)}$ is M's trust in $k_J$ based on recommendations via EBD. If M could find out that there is a potential path to J via H, he could have obtained $\omega^{MEBD,MHI}_{KA(k_J)}$.

• $\omega^{(KDB,KL)E}_{KA(k_M)}$ is K's trust in $k_M$.

• $\omega_{KA(k_K)}$ [chain superscript illegible in this copy] is M's trust in $k_K$. A recommendation from L is not possible to obtain, because E does not trust L for that purpose.



4.4 Comparison with PGP

This final section will be used to compare the model described here with PGP [9], which is a well known method for handling authentication in the Internet. The trust model of PGP is perfectly compatible with ours, whereas the algebra differs, and we will show that an inherent weakness in the way PGP computes trust can make users get a false impression of key authenticity.

4.4.1 Compatible Trust Models.

The PGP electronic public key ring is used to store the public keys of other users, as well as certificates attached to each particular public key. Trust values are assigned to three aspects of each key. These aspects are the Owner Trust, i.e. how the owner of the key is trusted to certify and recommend other keys, the Signature Trust, or the trust in the owner of each key that was used to certify the key, and finally the Key Legitimacy or the actual key authenticity.

Owner Trust and Signature Trust are measured as undefined, unknown user, usually not trusted, usually trusted, always trusted and ultimate (the owner is me), and the value is always equal for a particular certificate and the owner of the key that signed it. These discrete measures can easily be represented as points in the opinion triangle as suggested in Fig. 7a.

Key Legitimacy is measured as unknown, not trusted, marginally trusted and completely trusted. These discrete measures can also be represented as points in the opinion triangle as suggested in Fig. 7b.

The Key Legitimacy is calculated on the basis of the Signature Trust fields as follows: If at least one Signature Trust has value ultimate, the Key Legitimacy is set to complete. Otherwise, PGP computes a weighted sum of the Signature Trust values. A weight of 1/x is given to signatures that are always trusted and 1/y to signatures that are usually trusted, where x and y are user configurable parameters. When the total of weights reaches 1, the Key Legitimacy is set to complete, otherwise it is set to marginal. 

Figure 7: Discrete trust values of PGP expressed as opinions. a) "Owner Trust" and "Signature Trust"; b) "Key Legitimacy" (not trusted, marginal and complete, placed between the Distrust and Trust corners of the opinion triangle). 

The difference between our model and PGP is that in our model the computed Key Authenticity is kept as such, instead of using thresholds and adjusting the trust to a discrete value. In our model, a threshold value can be determined for the use of a key in a particular situation, instead of accepting a key as completely trusted or marginally trusted once and for all. After all, different situations involve different risk, and thereby require different trust. 

4.4.2 Hidden Dependencies in PGP Trust Values. 

As was mentioned in Sec. 3.1, dependence between arguments in an expression for trust leads to incorrect computational results. The way in which webs of trust expand with PGP causes recommendations based on second-hand evidence to be transferred between users, and we will show how this can lead to dependence. Let user A receive the public key of user G certified by the users B, C, D and E, whom she trusts with value usually trusted. Suppose that A has specified that 4 usually trusted or 2 always trusted certificates are required to accept the received public key as completely trusted, in which case A will have complete trust in G's key. Let us now suppose that the certifiers B, C, D and E all had received G's key certified by the same user F. In that case, their recommendations about G are highly dependent, and the certificates sent to A can not be considered as coming from different sources. 

Fig. 8 illustrates this situation, where the difference between what A sees and what really takes place leads to A getting a false impression of trust in G's key. 

Figure 8: Apparent and real trust relationships. a) The situation that A sees; b) The real situation which is hidden from A. 

What A in fact computes is ultimately based on only one recommendation, namely the one from F, so that A's requirement of at least 4 usually trusted or 2 always trusted certificates has been violated. 
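As an added illustration (not part of the paper, and not PGP's own code), the following Python reproduces the Key Legitimacy rule exactly as described above, and then re-evaluates the Fig. 8 scenario once the derivation of each certificate is known. The Certificate structure, its derived_from field, the choice to keep the weakest certificate per independent origin, and the "unknown" result for a key without any trusted signer are assumptions of this example; a real PGP certificate carries no derivation information, which is precisely the gap this section describes. For reference, GnuPG's defaults for x and y are --completes-needed 1 and --marginals-needed 3.

```python
"""PGP Key Legitimacy rule (Sec. 4.4.1) and the hidden-dependency case of Fig. 8.

Added example, not the paper's or PGP's code.  The trust levels, the weights
1/x and 1/y and the threshold follow the text; the derived_from field and the
'unknown' result are assumptions of this example.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, List, Optional

ULTIMATE, ALWAYS, USUALLY = "ultimate", "always trusted", "usually trusted"


@dataclass(frozen=True)
class Certificate:
    signer: str                          # owner of the key that signed the certificate
    signature_trust: str                 # Signature Trust = Owner Trust assigned to `signer`
    derived_from: Optional[str] = None   # (assumed field) signer whose certificate `signer`
                                         # relied on; None means first-hand evidence


def key_legitimacy(certs: Iterable[Certificate], x: int = 2, y: int = 4) -> str:
    """PGP rule: an ultimate signer gives 'complete'; otherwise sum 1/x per always-trusted
    and 1/y per usually-trusted signature; a total >= 1 gives 'complete', else 'marginal'.
    Fractions keep the threshold test exact."""
    certs = list(certs)
    if any(c.signature_trust == ULTIMATE for c in certs):
        return "complete"
    weights = {ALWAYS: Fraction(1, x), USUALLY: Fraction(1, y)}
    total = sum((weights.get(c.signature_trust, Fraction(0)) for c in certs), Fraction(0))
    if total >= 1:
        return "complete"
    return "marginal" if total > 0 else "unknown"   # 'unknown' is this example's assumption


def first_hand_origin(cert: Certificate, by_signer: Dict[str, Certificate]) -> str:
    """Follow derived_from links back to the signer whose evidence was first-hand.
    If the chain leaves the certificates we hold, the last named signer is the origin."""
    origin, seen, c = cert.signer, set(), cert
    while c.derived_from is not None:
        if c.signer in seen:
            raise ValueError("cycle in certificate derivation")
        seen.add(c.signer)
        origin = c.derived_from
        c = by_signer.get(origin)
        if c is None:
            break
    return origin


def independent_certs(certs: Iterable[Certificate]) -> List[Certificate]:
    """Collapse certificates that rest on the same first-hand origin into one.
    Assumption: the weakest certificate of each group is kept (conservative)."""
    certs = list(certs)
    by_signer = {c.signer: c for c in certs}
    rank = {USUALLY: 0, ALWAYS: 1, ULTIMATE: 2}
    kept: Dict[str, Certificate] = {}
    for c in certs:
        origin = first_hand_origin(c, by_signer)
        if origin not in kept or rank.get(c.signature_trust, -1) < rank.get(kept[origin].signature_trust, -1):
            kept[origin] = c
    return list(kept.values())


# Constructed scenario of Fig. 8: A holds G's key certified by B, C, D and E, each usually
# trusted.  Fig. 8a is what A sees; Fig. 8b records that all four relied on F's certificate.
APPARENT = [Certificate(s, USUALLY) for s in "BCDE"]
REAL = [Certificate(s, USUALLY, derived_from="F") for s in "BCDE"]


def a_decides_naively() -> str:
    """PGP's computation over the four certificates as received (x=2, y=4)."""
    return key_legitimacy(APPARENT, x=2, y=4)


def a_decides_with_dependencies() -> str:
    """Same rule, applied only to certificates with distinct first-hand origins."""
    return key_legitimacy(independent_certs(REAL), x=2, y=4)


if __name__ == "__main__":
    print("A's PGP result   :", a_decides_naively())          # four 1/4 weights reach 1
    print("independent only :", a_decides_with_dependencies())  # one origin (F) -> 1/4
```

Running it shows the threshold of four usually-trusted certificates being met on paper while only a single source, F, actually vouches for G's key.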

The problem is caused by the way users use certificates to compute their own trust in received keys, which they in turn certify and pass on to others as if the authenticity of those keys were based on first-hand evidence, whereas in reality it is based on second-hand evidence. The only way this can be solved is to certify only keys that are trusted on first-hand evidence, or else always pass the original certificates unmodified to other users, so that they can determine the trustworthiness themselves. 

In comparison, a correct analysis of the graph of Fig. 8.b as seen by A using the certification algebra described in Sec. 4.1 results in the opinion 

$\omega^{(AB,AC,AD,AE)F}_{KA(k_G)}$ 

This would require that A has received certificates directly from B, C, D and E containing the public key of F with corresponding recommended key authenticity and agent trustworthiness, as well as a certificate from F containing the public key of G with a recommended key authenticity. 

On the other hand, if B, C, D and E recommend to A their second-hand opinions about G according to Fig. 8.a, then A would compute the opinion 

$\omega^{ABF,ACF,ADF,AEF}_{KA(k_G)}$ 

which, as explained in Sec. 4.2, is incorrect because F's opinion about $KA(k_G)$ appears four times in the expression and thereby violates the requirement of independent opinions. 
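To make the difference between the two expressions concrete, the following Python (an added example, not the paper's code) evaluates both of them numerically. It uses the recommendation (discounting) and consensus operators of the opinion algebra from [5], which is assumed here to be the algebra of Sec. 4.1; the paper keeps separate opinions for key authenticity and agent trustworthiness on each link, which this example collapses into a single trust opinion per link. The opinion values chosen for "usually trusted" and for F's first-hand opinion on G's key are constructed for the example.

```python
"""Independent vs. dependent recommendation chains for the Fig. 8 scenario.

Added example, not the paper's code.  Opinions are (b, d, u) triples with
b + d + u = 1.  recommend() and consensus() are the discounting and consensus
operators of Josang's opinion algebra [5]; using one trust opinion per link is
a simplification of the paper's model.
"""
from dataclasses import dataclass
from functools import reduce
from typing import Iterable


@dataclass(frozen=True)
class Opinion:
    b: float  # belief
    d: float  # disbelief
    u: float  # uncertainty

    def __post_init__(self) -> None:
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1.0) > 1e-9:
            raise ValueError(f"not a valid opinion: {self}")


def recommend(trust_in_recommender: Opinion, recommended: Opinion) -> Opinion:
    """A's opinion about x obtained via B: B's opinion about x discounted by A's trust
    in B.  Whatever B is not believed on (its d and u) becomes uncertainty for A."""
    t, x = trust_in_recommender, recommended
    return Opinion(t.b * x.b, t.b * x.d, t.d + t.u + t.b * x.u)


def consensus(a: Opinion, b: Opinion) -> Opinion:
    """Combine two INDEPENDENT opinions about the same statement; uncertainty shrinks."""
    k = a.u + b.u - a.u * b.u
    if k == 0.0:
        raise ValueError("consensus undefined for two dogmatic opinions (u == 0)")
    return Opinion((a.b * b.u + b.b * a.u) / k,
                   (a.d * b.u + b.d * a.u) / k,
                   (a.u * b.u) / k)


def consensus_all(opinions: Iterable[Opinion]) -> Opinion:
    return reduce(consensus, opinions)


# Constructed values (assumptions of this example): one point of the opinion triangle
# for PGP's "usually trusted", and F's first-hand opinion about the authenticity of k_G.
USUALLY_TRUSTED = Opinion(0.6, 0.0, 0.4)
F_ON_KEY_G = Opinion(0.9, 0.0, 0.1)

CERTIFIERS = ("B", "C", "D", "E")
A_TRUSTS = {c: USUALLY_TRUSTED for c in CERTIFIERS}   # A's trust in B, C, D, E
TRUSTS_F = {c: USUALLY_TRUSTED for c in CERTIFIERS}   # B, C, D, E's trust in F


def correct_opinion() -> Opinion:
    """omega^{(AB,AC,AD,AE)F}_{KA(k_G)}: A first forms ONE opinion about F from the
    four independent paths, then applies F's single first-hand recommendation."""
    a_on_f = consensus_all(recommend(A_TRUSTS[c], TRUSTS_F[c]) for c in CERTIFIERS)
    return recommend(a_on_f, F_ON_KEY_G)


def naive_opinion() -> Opinion:
    """omega^{ABF,ACF,ADF,AEF}_{KA(k_G)}: what A computes when B..E forward their
    second-hand opinions as if first-hand, so F's opinion enters four times."""
    via = (recommend(A_TRUSTS[c], recommend(TRUSTS_F[c], F_ON_KEY_G)) for c in CERTIFIERS)
    return consensus_all(via)


if __name__ == "__main__":
    good, bad = correct_opinion(), naive_opinion()
    print("F counted once  :", good)
    print("F counted 4x    :", bad)
    print("belief inflated :", bad.b > good.b, " uncertainty deflated:", bad.u < good.u)
```

With these inputs the dependent expression reports more belief and less uncertainty about $k_G$ than the independent analysis, although no additional first-hand evidence exists; the gap is the effect of counting F four times.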

5 Conclusion 

In traditional authentication schemes, the key-to-owner 
binding as well as the recommendation trustworthiness 
are trust aspects that are usually part of the initial 
assumptions. However, in the real world these aspects 
can never be absolutely trusted, and assuming absolute 
trust can then be dangerous. We have introduced an authentication algebra that takes relative trust in the key-to-owner binding and trust in the ability to recommend into consideration. In order to avoid undesirable dependencies, the algebra requires recommendations to be based on first-hand evidence only. This does not, however, restrict the possible certification paths; it simply enforces a particular way of establishing such paths. The algebra provides a practical solution to the problem of authentication in open networks, and is ready to be implemented in systems. 